CVE-2026-41179 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-41179 | CVSS 9.8 (Critical) | Exploit: PoC available

What Is It

CVE-2026-41179 is an unauthenticated remote code execution vulnerability in Rclone's built-in remote control (RC) server, affecting all versions from 1.48.0 through 1.73.4.

Technical Detail

The RC endpoint operations/fsinfo is missing the AuthRequired: true flag, so it accepts requests from unauthenticated callers. Because the endpoint passes the attacker-controlled fs parameter directly to rc.GetFs(), which supports inline backend definitions, an attacker can instantiate an arbitrary backend configuration without any credentials. Specifically, the WebDAV backend processes a bearer_token_command field by executing it as a shell command during backend initialization, giving an unauthenticated remote attacker direct operating system command execution in the context of the Rclone process.

Exploitation Status

A proof-of-concept exploit is publicly available. This vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog as of May 20, 2026, and active in-the-wild exploitation has not been confirmed. However, the low complexity of exploitation combined with the availability of a PoC significantly elevates the risk of opportunistic attacks against exposed RC server instances.

Who Is Targeting This

No specific threat actor attribution at this time. Given that Rclone is widely used in cloud data management and backup workflows, environments with the RC server exposed to untrusted networks should treat this as a high-priority target of opportunity for any actor seeking initial access or data exfiltration capability.

What To Do

Upgrade Rclone to version 1.73.5 or later, which enforces authentication on the operations/fsinfo endpoint. If immediate patching is not possible, disable the RC server entirely if it is not required, or restrict access to the RC server port using host-based firewall rules or network ACLs to trusted IP addresses only. If the RC server must remain active, ensure --rc-user and --rc-pass or equivalent authentication flags are configured, and audit whether the RC server is exposed on any public or untrusted network interface. Detection should focus on unexpected outbound connections or process spawning from the Rclone process, as well as HTTP requests to the /operations/fsinfo endpoint containing fs parameters with embedded backend configuration syntax.
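As an added example of the request-side detection described above (not code from the briefing or from the Rclone project), the script below scans access-log lines for /operations/fsinfo requests whose fs parameter uses Rclone's inline backend syntax (`:backend,opt=value,...:path`) and raises the severity when a `*_command` option such as bearer_token_command is present. The log format, source addresses and the REDACTED option value are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from any real system).
# Lines 1-2 are benign; lines 3-4 pass an inline backend definition in fs=.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2026:10:01:02 +0000] "POST /operations/fsinfo?fs=backup: HTTP/1.1" 200 512
10.0.0.5 - - [20/May/2026:10:01:03 +0000] "POST /rc/noop HTTP/1.1" 200 2
203.0.113.9 - - [20/May/2026:10:02:10 +0000] "POST /operations/fsinfo?fs=%3Awebdav%2Curl%3Dhttp%3A%2F%2F203.0.113.9%2Cbearer_token_command%3DREDACTED%3A HTTP/1.1" 200 40
203.0.113.9 - - [20/May/2026:10:02:11 +0000] "GET /operations/fsinfo?fs=:sftp,host=203.0.113.9:/ HTTP/1.1" 200 40
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Rclone's inline ("connection string") backend syntax is :backend,opt=val,...:path
INLINE_BACKEND_RE = re.compile(r'^:(?P<backend>[a-z0-9]+)')
OPTION_NAME_RE = re.compile(r'(?:^|,)([a-z0-9_]+)=')


def inspect_fs_param(fs_value):
    """Return (backend, option names) when fs is an inline backend definition, else None."""
    m = INLINE_BACKEND_RE.match(fs_value)
    if not m:
        return None
    opts = fs_value[m.end():]  # e.g. ",url=...,bearer_token_command=...:"
    return m.group("backend"), OPTION_NAME_RE.findall(opts)


def scan_log(text):
    """Flag /operations/fsinfo requests whose fs parameter defines a backend inline."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path.rstrip("/") != "/operations/fsinfo":
            continue
        for fs in parse_qs(parts.query).get("fs", []):  # parse_qs percent-decodes values
            hit = inspect_fs_param(fs)
            if hit is None:
                continue
            backend, names = hit
            # bearer_token_command is the option named in the briefing; treating every
            # *_command option the same way is this script's conservative assumption.
            command_opts = [n for n in names if n.endswith("_command")]
            findings.append({"src": m.group("src"), "ts": m.group("ts"), "backend": backend,
                             "options": names, "severity": "critical" if command_opts else "high"})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['src']} backend={f['backend']} options={f['options']}")
```

The RC server also accepts parameters in a JSON POST body, which an ordinary access log does not record, so run the same fs-parameter check on body-logging proxy or WAF output where that is available.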